CVE-2023-53936

MEDIUM 4.8

Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

0th

Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.

CWE	CWE-79
Vendor	tuzitio
Product	cameleon cms
Published	Dec 18, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for tuzitio cameleon cms

Be the first to know when new medium vulnerabilities affecting tuzitio cameleon cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

tuzitio / Cameleon CMS

2.7.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/51446 github.com: https://github.com/owen2345/camaleon-cms vulncheck.com: https://www.vulncheck.com/advisories/cameleon-cms-authenticated-persistent-cross-site-scripting-via-post-creation

Credits

Yasin Gergin